Sponsored Links

Cheap, Easy and Encrypted Backups With Time Machine on Leopard

I used Linux to make Time Machine work better than Apple intended. Read on for details of the
wonders of iSCSI.

Most Leopard users agree that Time Machine is a great way to back up your Mac; it's easy to set up,
it's automatic and it's easy to restore old files.

I have some special requirements (as usual!) which Time Machine can't meet in its standard
configuration:

Not encrypted: Time Machine backups are not encrypted, anyone who steals my external drive
could read my data. Using FileVault gets round this, but then my home directory is backed up only
when I am logged out. This is not acceptable.

Doesn't work with network shares: Many years ago I learned a hard lesson about not keeping backups
separate from the source data - a faulty power supply destroyed both my source and backup disk and
I lost everything. It's a good idea to at least store backups on a different machine.
There are hacks to enable Time Machine with network shares, but I have experienced inconsistent
results with this.

A bit about iSCSI

This is where iSCSI comes into the equation. Hopefully this diagram explains the mechanics of it:

The MacBook Pro is running an iSCSI initiator - think of this as an iSCSI client. It is used to
connect to the iSCSI target (the 'share') on the Debian Linux box. When the MacBook connects to
the iSCSI target for the first time it sees a blank disk which would be partitioned and erased in
exactly the same way as any physical disk. Crucially, Time Machine can't tell the difference
between an iSCSI disk and a real disk.

It is worth noting that iSCSI works at the block level, it is not a network share like AFP or
Samba/CIFS is. If two machines were to mount the disk at the same time they would corrupt it -
fortunately, this is impossible with the configuration I'm about to create.

Get on with it you fool

Yes, well all right. The first thing to do is find an old PC. Any old PC will do provided you can
stuff big enough disks in it. I chose an old HP mini-tower and then bought a
couple of extra 500GB SATA disks to go in it. I then installed Debian Etch on the first 80GB disk,
leaving the 500GB drives untouched. Annoyingly, the iSCSI
modules aren't available in Etch, so I dist-upgraded to Lenny. You could just as easily use the
latest Ubuntu if you prefer.

So, by this point you should have a pristine Debian Lenny or Ubuntu install working on the PC.

At this point I will build a RAID array. If you don't require RAID, skip to the encryption part
below.

Make sure the appropriate support is installed:

# apt-get install mdadm

Once you're sure you know the correct device names, instantiate the RAID:

As it stands, you will have to enter the password to decrypt the device each time the Linux machine
boots. This might be what you want - but my machine has no monitor most of the time so I use
a USB key instead. If I need to boot the machine I just insert the USB key to authenticate myself.

Now choose a file on your USB drive to be your keyfile. The content of the file is not important, it could be a text
document, an audio file, whatever. Just be aware that if even a single bit changes, the keyfile
is no longer valid. Obviously this should look like some random file you carry around, 'keyfile.txt'
would be a poor choice (duh)!

iSCSI itself

We now need to install the iSCSI tools and modules:

# apt-get install iscsitarget iscsitarget-modules-2.6-686

Now, edit /etc/ietd.conf:

# vi /etc/ietd.conf
IncomingUser made-up-user hard-password
# Target should be date YYYY-MM, fully qualified hostname (reversed) then, make up a disk name.
Target iqn.2009-01.spruce.san:disk2
IncomingUser made-up-user hard-password
# This is the device you just created with cryptsetup
# can also be a 'normal' device like /dev/sdb if you didn't encrypt
Lun 0 Path=/dev/mapper/crypt-raid,Type=fileio
# This is the default anyway - but let's be explicit!
MaxConnections 1

Now, restart the iSCSI service:

# /etc/init.d/iscsitarget restart

Believe it or not, that's all you have to do to the Linux box, head on over to the Mac.

Once your initiator is installed, go to System Preferences and configure it:

In the Targets tab, add your iSCSI target.

In the sessions tag, log in to your target.

If you open Disk Utility, you'll be able to see your iSCSI disk, you can erase it just as you would
any other disk. When you do so, Time Machine will ask whether you want to use it as your Time
Machine disk.

Enjoy your automated, encrypted resilient backups.

Footnotes

Encryption is only a good defence against physical, bare-metal attacks (someone steals your
server), it provides no protection against attacks on a running system.

If you forget your password and lose your keyfile, then there is no realistic way to recover
the data from your device. The only recourse would be to wait 25 years until computers
are powerful enough to brute force the encryption used.